Commissioner for Patents
Alexandria, VA 22313-1450

Sir: 

DECLARATION OF PRIOR INVENTION IN THE UNITED STATES TO
OVERCOME CITED PATENT APPLICATION (37 C.F.R. §1.131)

We, John R. McGarvey and David Kuehr-McLaren, declare as follows:

1. We are the inventors of the invention entitled METHODS, SYSTEMS AND COMPUTER PROGRAM PRODUCTS FOR SECURE DELEGATION USING PUBLIC KEY AUTHENTICATION, disclosed and claimed in U.S. Patent Application Serial No. 09/921,536 (hereinafter the '536 application), filed August 3, 2001.

2. The invention disclosed and claimed in the '536 application was conceived by us in the United States, at a date prior to June 20, 2001, which is the filing date and 35 U.S.C. §102(e) prior art date of U.S. Pat. App. Pub. No. US 2003/0018913 (hereinafter the '913 application).

3. In a final office action dated August 18, 2006, claims 1, 23-29, 31 and 32 were rejected under 35 U.S.C. §103 as being unpatentable over the '913 application in view of U.S. Pat. No. 5,535,276 (hereinafter the '276 patent). Additionally, claims 2, 3, 5, 7-11, 14, 15 and 30 were rejected under 35 U.S.C. §103 as being unpatentable over the '913 application in view of the '276 patent and further in view of U.S. Pat. No. 6,829,356 (hereinafter the '356 patent). Still further, claims 4, 6, 12, 13 and 20 were rejected under 35 U.S.C. §103 as being unpatentable over the '913 application in view of the '276 patent, the '356 patent and further in view of Schneier, Applied Cryptography. Still further, claims 16-19 and 21-22 were rejected under 35 U.S.C. §103 as being unpatentable over the '913 application in view of the '276 patent, the '356 patent and further in view of Menezes et al. (Handbook of Applied Cryptography).

4. We believe that we and our patent attorneys were diligent from just prior to the June 20, 2001 filing date of the '913 application until the filing date of our application on August 3, 2001, based upon at least the following:

Prior to June 20, 2001, we submitted an IBM Invention Disclosure, identified as IBM RSW820000227, entitled "SECURE DELEGATION WITH EXISTING PROTOCOL FLOWS FOR PUBLIC KEY AUTHENTICATION OF THE CLIENT", which is attached hereto as Exhibit A. Portions of this exhibit showing certain dates and non-relevant information have been redacted.

On February 28, 2001, Gerald R. Woods, in-house counsel for IBM, the assignee of the subject application, sent a letter to Timothy J. O'Sullivan of Myers, Bigel, Sibley & Sajovec, PA requesting that Mr. O'Sullivan prepare a patent application, assigned IBM Docket number RSW920000185US1, based on invention disclosure RSW820000227 entitled "SECURE DELEGATION WITH EXISTING PROTOCOL FLOWS FOR PUBLIC KEY AUTHENTICATION OF THE CLIENT", which is attached hereto as Exhibit B. The invention disclosure is improperly identified as RSW820000277 in the Re: line of Exhibit B.

On March 8, 2001, Timothy J. O'Sullivan sent a letter to Gerald R. Woods acknowledging authorization to prepare a patent application based upon IBM's Docket number RSW920000185US1 (corresponding to invention disclosure RSW820000227), which is attached hereto as Exhibit C.
On May 18, 2001, Timothy J. O'Sullivan sent a letter to inventor John R. McGarvey enclosing an initial draft of the patent application prepared under IBM Docket number RSW920000185US1, which is attached hereto as Exhibit D. Also attached as part of Exhibit D are the first five pages of the initial draft of the patent application, which is entitled "METHODS, SYSTEMS AND COMPUTER PROGRAM PRODUCTS FOR SECURE DELEGATION USING PUBLIC KEY AUTHENTICATION".

On July 20, 2001, John McGarvey sent an e-mail to Timothy J. O'Sullivan which included corrections to the draft patent application. The e-mail is attached hereto as Exhibit E.



On July 23, 2001, Timothy J. O'Sullivan sent a letter to John R. McGarvey enclosing a final revised draft of the patent application. The letter is attached hereto as Exhibit F.

On August 3, 2001, Timothy J. O'Sullivan sent a letter to Gerald R. Woods indicating that the application was filed on August 3, 2001. The letter is attached hereto as Exhibit G.



5. Evidence to establish a conception date prior to June 20, 2001 for at least claims 1-7, 26-28 and 30-32 can be seen on page 2 of the IBM invention disclosure RSW820000227 attached hereto as Exhibit A. In this document, the "Created On", "Last Modified On" and "Submitted On" dates on page 1 have been redacted. Further, the date appearing in response to Question 1 on page 2 has been redacted. Each of the redacted dates is prior to June 20, 2001.

Evidence to establish a conception date prior to June 20, 2001 for each of the pending claims 1-32 can be seen in the Summary section on pages 2-5 of the initial draft patent application, attached hereto as Exhibit D.
6. As a person signing below:

I hereby declare that all statements made herein of my own knowledge are true and that all statements made on information and belief are believed to be true; and further that the statements were made with the knowledge that willful false statements and the like so made are punishable by fine or imprisonment, or both, under Section 1001 of Title 18 of the United States Code, and that such willful false statements may jeopardize the validity of the application or any patent issued thereon.

Full name of first inventor: John R. McGarvey

Date:

Inventor's signature:

Full name of second inventor:

Country of citizenship:

Date:

Post-office address:
EXHIBIT A

Disclosure RSW8-2000-0227

Created By: John McGarvey    Created On: REDACTED
Last Modified By: John McGarvey    Last Modified On: REDACTED

IBM Confidential



Summary

Required fields are marked with an asterisk (*) and must be filled in to complete the form.

Status: Under Evaluation
Processing Location:
Functional Area:
Attorney/Patent Professional:
IDT Team: Steven [illegible]/Raleigh/IBM; Art [illegible]/IBM; David Kuehr-McLaren/Tivoli Systems@Tivoli Systems; Alton K. Edwards/Raleigh/IBM; Mark [illegible]/Raleigh/IBM; R. Redpath/Raleigh/IBM; Scott [illegible]; Jay [illegible]/Raleigh/IBM
Submitted Date: REDACTED
Owning Division: SWG
PVT Score: Calculate (To calculate a PVT score, use the "Calculate PVT" button.)
Lab:
Technology Code:

Inventors with Lotus Notes IDs
Inventors: John McGarvey/Raleigh/IBM
(* denotes primary contact)
Inventor | Serial | Div/Dept | Manager Serial | Manager Name

Inventors without Lotus Notes IDs

IDT Selection

Main Idea
Secure Delegation with Existing Protocol Flows for Public Key Authentication of the Client *

1. Describe your invention, stating the problem solved (if appropriate), and indicating the advantages of using the invention.

Means for mutual public key authentication of a client and server are well known to practitioners of the art. The server to which the client is authenticated may often be a middle tier server for a distributed application, which accesses several back end servers on the client's behalf. It is often desirable for the middle tier server to "impersonate" the client identity when communicating with back end servers. However, the existing approaches to client authentication have a drawback in that they do not provide a secure means of client impersonation, which is sometimes called delegation.

2. How does the invention solve the problem or achieve an advantage (a description of the invention, including figures inline as appropriate)?

PKI authentication involves the exchange of certificates and signed "nonces". A nonce is a random number generated by one party in the exchange which is signed by the other party using its private key. The party originating the nonce can then verify the signature so as to authenticate the identity of the other party. The idea of this invention is to have the middle tier server B and each of the back end servers C, D, E, ... and so on all contribute to the generation of the nonce, by generating a prenonce token which includes a random number provided by each of the participating servers. This prenonce token is then reduced to a single nonce using a standard one way hash, such as MD5 or SHA. This nonce is passed in the SSL exchange, and the client signature for the nonce is obtained. The signed nonce is then used by the middle tier server B in its communications with back end servers C, D, E, ... to establish with each of these servers the authenticated client identity, so that the middle tier server can impersonate the client on each of the participating back ends.

3. If the same advantage or problem has been identified by others (inside/outside IBM), how have those others solved it, and does your solution differ and why is it better?

Several approaches have been proposed for PKI authentication with delegation, but none has been widely deployed because of various drawbacks. The approach described in this invention has a big advantage in that no change is needed in the programs or data flows on the client side, and the further advantage that it should offer reasonable performance.

4. If the invention is implemented in a product or prototype, include technical details, purpose, disclosure details to others and the date of that implementation.
Not yet implemented.

*Critical Questions (Questions 1-7 must be answered)

REDACTED
REDACTED
REDACTED

Patent Value Tool (Optional - this may be used by the inventor and attorney to assist with the evaluation)
Post Disclosure Text & Drawings
EXHIBIT B

Software Group
Intellectual Property Law
T81/503, P.O. Box 12195
Research Triangle Park, NC 27709

February 28, 2001

Mr. Timothy J. O'Sullivan
Myers, Bigel, Sibley & Sajovec, PA
111 Corning Road
Suite 260
Cary, NC 27511

Ref: IBM Dockets: RSW920000185US1 (Disclosure RSW8-2000-0277)
RSW920010046US1 (Disclosure RSW8-2000-0202)

Title: Secure Delegation with Existing Protocol Flows for Public Key Authentication of the Client
Method of Using Kerberos or other Delegated Credentials to Generate Secure Public Key Signatures

Dear Tim:

Enclosed please find materials for preparing a patent application for the above referenced dockets. We would like to have this application filed with the USPTO by June 1, 2001. The inventor involved with both applications is:

John McGarvey
919-254-7387

If you have any question, or if you need anything additional, please do not hesitate to contact me. Thank you for your assistance in this matter.

Sincerely,

GRW/bd
Enclosures



EXHIBIT C

Myers Bigel Sibley & Sajovec, PA
PATENT LAWYERS
INTELLECTUAL PROPERTY: PATENTS, TRADEMARKS, COPYRIGHTS, TRADE SECRETS

March 8, 2001

Gerald R. Woods, Esq.
Department T81/Building 503-5
International Business Machines Corp.
Post Office Box 12195
Research Triangle Park, NC 27709

RE: Secure Delegation with Existing Protocol Flows for Public Key Authentication of the Client
IBM Docket No. RSW920000185US1; Our File: 5577-236

Dear Jerry:

Thank you for your letter dated February 28, 2001, authorizing us to prepare a patent application for the above-referenced invention. Pursuant to your instructions, we ... filed by June 1, 2001 if possible.

Best regards.

TJO/tb
P.O. Box 97426
111 Corning Road
Cary, NC 27511
(919) 854-1400



EXHIBIT D

Myers Bigel Sibley & Sajovec, PA
PATENT LAWYERS

May 18, 2001

Mr. John McGarvey
Division 71/Department PE9A
IBM Corporation
Post Office Box 12195
Research Triangle Park, NC 27709

VIA HAND DELIVERY

RE: Methods, Systems and Computer Program Products for Secure Delegation Using Public Key Authentication
IBM Docket No. RSW920000185US1; Our File: 5577-236

Dear Jerry:



Enclosed is an initial draft of a patent application directed to the above-identified invention for your review. Please provide copies to David Kuehr-McLaren. This is only a draft, so feel free to make additions, deletions, substitutions, and the like.

As you know, it is essential that the patent application, as filed, be technically accurate and complete, and that it set forth the best mode of carrying out the invention, because new matter may not be added to the descriptive portion after filing. We therefore ask that you carefully review the draft for technical accuracy and completeness, and advise us of any suggested changes or corrections. Your changes and suggestions will be carefully considered in the preparation of the final draft.

Out of an abundance of caution, we are requesting that you confirm that the proper inventive entity has been identified for the claimed invention(s). As you may be aware, inventorship is determined by the subject matter of the claimed invention. Generally stated, to be an inventor one must have made an actual contribution to the conception of the operative invention that is claimed. There may be joint inventorship even though the joint inventors (a) did not work physically together or at the same time, (b) did not make an equal contribution, or (c) did not make a contribution to the subject matter of every claim of the patent. A worker who merely carries out the instructions of another or only provides implementing devices to carry out another's ideas where the effort to do so is the exercise of one of ordinary skill is not typically an inventor. Further,

persons listed as contributing to an article describing or related to the invention are not necessarily inventors. Please feel free to call with any questions that you may have on this issue.

We would also like to point out that an inventor is required to make a Declaration when their application is filed in the U.S. Patent and Trademark Office (USPTO), acknowledging a duty to disclose information of which they are aware and which may be considered to be material to the examination of the application. "Material" in this respect is defined as information that a reasonable examiner would likely consider important in deciding whether to issue a patent. "Material" information as defined above may possibly include devices, products, publications, etc. that are similar to the invention and were publicly known before the invention, and it may also include any public disclosure, commercial use, or offer of sale of the invention more than one year prior to the filing date of the application. The USPTO encourages applicants to carefully examine 1) prior art cited in search reports of a foreign patent office in a counterpart application and 2) the closest information over which it is believed any pending claim patentably defines to ensure that any "material" information contained therein is disclosed to the USPTO.

If you are aware of any information that you believe might be considered "material," it is vitally important that it be brought to our attention as soon as possible (delays may result in a loss of patent term). We can then make a determination whether the information should be brought to the attention of the Patent and Trademark Office under the applicable rules. Please also be aware that the duty to disclose "material" information continues throughout pendency of the application, until the application issues as a patent.

You should also be aware that certain activities either in the United States or foreign countries prior to filing of the application in the United States may have a bearing on the ability to file corresponding applications in foreign countries under the applicable international treaty. These activities could include public disclosure of the invention in either written or oral form, such as published articles, patents, product announcements, and proposals, as well as through commercial exploitation of the invention, including public demonstrations, offers to sell, and sale of products incorporating the invention. If you would like to preserve your right to file corresponding foreign applications on this invention, we recommend that all such activities be avoided until the U.S. application is on file.

Pursuant to recent changes in the law, a U.S. application will be published approximately eighteen months after the earliest priority date to which the application is entitled, unless a specific non-publication request is made. Publication may in some circumstances provide additional infringement damages. There are additional fees associated with publication and third parties may submit references against the published application to the Patent Office. A request to not publish the application must be filed at the time of filing the application and must include a certification that the invention has not and will not be the subject of an application filed in a foreign country (e.g., under an



international agreement such as ...). If you later wish to file an application in a foreign country, we must promptly rescind the non-publication request to avoid abandonment of the application. A request to withhold publication will incur additional fees and expenses. If you would like for us to file a request to prevent publication of the application, please inform us immediately in writing. We will NOT request non-publication of the application unless you instruct us to do so.

Once you have had an opportunity to review the draft application, please let me know as soon as possible. As always, please feel free to call us with any questions that you may have.

We are to file this by June 1, 2001 and would, therefore, appreciate any comments by May 25, 2001.

Best regards.

Sincerely,

Timothy J. O'Sullivan

TJO/tb
Attorney Docket No.: 5577-236

METHODS, SYSTEMS AND COMPUTER PROGRAM PRODUCTS FOR
SECURE DELEGATION USING PUBLIC KEY AUTHENTICATION

Field of the Invention
The present invention relates to authentication, and more particularly to authentication of a client when delegation is utilized to access a server.

Background of the Invention
Networked computer applications are often deployed using a "tiered" model. In this model, the originator of a request for a unit of work (also referred to as a "principal") typically initiates that work via a client program (first tier), which then communicates to a web server, or similar second tier server (also referred to as a middle-tier server), which itself communicates, on behalf of the request originator, to other middle-tier servers and/or to third or fourth tier servers such as database servers or other resource managers. When the request is processed by the resource managers, they typically evaluate whether the request originator has been authenticated and whether they are authorized to perform the unit of work. The resource managers typically also record access by the originator of the request in appropriate audit logs.

Such a tiered approach to networked applications may create a need for the secure propagation of security credentials of the request originator through each of the tiers of the application. In such propagation of secure credentials, the request originator delegates to the middle-tier servers the authority to access other servers

RSW920000185US1 -1-







on their behalf. Thus, the secure propagation of the credentials of the request originator (the requesting "principal") may be referred to as "delegation" or "impersonation".

One conventional approach for asynchronous ... is to create a digital signature for the message. The digital signature is based on a public/private key pair. An example of such a digital signature approach to authentication is Public Key Infrastructure (PKI) authentication. In PKI, typically, a nonce, which may, for example, be a 60 bit random number, is generated by a party, such as a server, and provided to the client. The client signs the nonce with its digital signature and returns the signed nonce to the server. Typically, the server evaluates the digital signature of the client by decrypting the signed nonce with the public key of the client, which may be obtained from a certificate associated with the client, and comparing the decrypted nonce to the nonce originally sent. If the nonces are the same, the signature is authentic. In such a manner, the server may be assured of the authenticity of the client.

One difficulty with such a PKI authentication procedure is that it may be difficult to provide delegation of client authentication in certain circumstances. For example, a request from a principal through a client may pass through a middle-tier server which, in response to the request, accesses multiple third or fourth tier servers (also referred to as back-end servers). In such a case, the middle-tier server may need to authenticate the principal or the client to multiple back-end servers. Such a delegation of authentication may be difficult in light of the multiple servers for which the client may need authentication.

Summary of the Invention

Embodiments of the present invention provide methods, systems and computer program products for a middle-tier server to impersonate a client to a plurality of servers. A common nonce associated with each of the plurality of servers is obtained and the common nonce is provided to the client. The common nonce signed by the client is received at the middle-tier server and provided as a signature
for transactions from the client to the plurality of servers so as to authenticate the client to the plurality of servers.

In further embodiments of the present invention, obtaining a common nonce is provided by generating a common nonce based on information obtained from each of the plurality of servers. In such embodiments, generating the common nonce may be accomplished by obtaining pre-nonce contributions from the plurality of servers, combining the pre-nonce contributions to provide a single pre-nonce token and providing the common nonce based on the pre-nonce token. The common nonce may be provided by reducing the pre-nonce token to provide the common nonce. Furthermore, the pre-nonce contributions may be combined to provide a single pre-nonce token by concatenating the pre-nonce contributions. Also, the pre-nonce token may be reduced to provide the common nonce by hashing the pre-nonce token utilizing a one-way hash function so as to provide the common nonce.

In additional embodiments of the present invention, obtaining pre-nonce contributions may be provided by requesting a pre-nonce contribution from each of the plurality of servers and receiving the pre-nonce contributions from the plurality of servers. The request for a pre-nonce contribution may be provided by sending authenticated requests to the plurality of servers. Additionally, the authenticated requests sent to the plurality of servers may be encrypted. The authenticated request may include at least one of an identification of a source of the request, a time stamp and a random number.

In still further embodiments of the present invention, the pre-nonce contributions include at least one of an identification of a server of the plurality of servers and a random number. Furthermore, the pre-nonce contributions may be signed with a signature corresponding to a server from which the pre-nonce contribution was obtained. In such embodiments, the signatures may be incorporated in the pre-nonce token.

In yet further embodiments of the present invention, the pre-nonce contributions are signed with a signature corresponding to a server from which the pre-nonce contribution was obtained. In such embodiments, the signatures of the

RSW920000185US1 -3-
pre-nonce contributions are authenticated and the pre-nonce contributions for which the digital signatures are not authentic are rejected.

In still further embodiments of the present invention, a transaction identification is received from a trusted server of the plurality of servers and the transaction identification associated with the common nonce. Use of the common nonce may be tracked based on the transaction identification.

In additional embodiments of the present invention, an expiration time is associated with a pre-nonce contribution and it is determined if the pre-nonce contribution has expired based on its associated expiration time. In such embodiments, the common nonce may be received at a server of the plurality of servers and a pre-nonce contribution associated with the received common nonce is determined. The received common nonce is accepted if the associated pre-nonce contribution has not expired.

In yet additional embodiments of the present invention, at least one of the plurality of servers receives a client certificate, determines if the client certificate is trusted and indicates that the client is not authenticated if the client certificate is not trusted. Furthermore, the signed common nonce and a client certificate may be received and it is determined if the signature of the signed common nonce corresponds to a signature of the client certificate. The client is not authenticated if the signature of the signed common nonce does not correspond to the signature of the client certificate. The signed common nonce, the common nonce and the pre-nonce token may also be received and the received pre-nonce token hashed. The hashed pre-nonce token is compared to the common nonce and the client is not authenticated if the hashed pre-nonce token is different from the common nonce. The pre-nonce token may also be received at one of the plurality of servers and it determined if the pre-nonce token includes a random number associated with the receiving server. The client is not authenticated if the pre-nonce token does not include the random number associated with the receiving server. Additionally, an expiration may be associated with the random number associated with the at least one of the plurality of servers and the client is not authenticated if the pre-nonce
token does not include a random number associated with the at least one of the plurality of servers which has not expired.

In still further embodiments of the present invention, the common nonce is obtained by obtaining the common nonce from a party trusted by the middle-tier server and the plurality of servers. The common nonce is signed by the trusted party. The signature of the common nonce is verified with the signature of the trusted party. In further embodiments, at least one of the plurality of servers receives a client certificate and determines if the client certificate is trusted. The client is not authenticated if the client certificate is not trusted. The signed common nonce and a client certificate may also be received and it determined if the signature of the signed common nonce corresponds to a signature of the client certificate. The client is not authenticated if the signature of the signed common nonce does not correspond to the signature of the client certificate.

As will further be appreciated by those of skill in the art, while described above primarily with reference to method aspects, the present invention may be embodied as methods, apparatus/systems and/or computer program products.
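The flow laid out in the Summary above, and in the answer to Question 2 of the Exhibit A disclosure, as an added example; this code is not part of the draft application and is not IBM's. It assumes: a toy RSA (Miller-Rabin key generation, hash-then-raw-RSA with no padding) standing in for the client's certificate-backed signature; a "|"-separated concatenation as the pre-nonce token; SHA-256 as the one-way hash (the disclosure names MD5 or SHA, neither of which a practitioner would choose for this today); and a per-server expiry on the issued random number as the back-end freshness check. The three negative cases exercise checks the Summary lists: a packet replayed after the contributions have expired, a server whose contribution is not in the token, and a nonce that is not the hash of the token. Names such as `BackEndServer`, `delegate` and `run_demo` are this example's own.

```python
import hashlib
import secrets

def _is_probable_prime(n, rounds=16):       # Miller-Rabin; demo-grade only
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def toy_keygen(bits=160):                   # toy RSA: ((n, e), (n, d)); n is ~320 bits
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:              # e is prime, so gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _h(msg):                                # SHA-256 digest as an int; 256 bits < n
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def toy_sign(priv, msg):                    # hash-then-raw-RSA, NO padding: toy only
    return pow(_h(msg), priv[1], priv[0])

def toy_verify(pub, msg, sig):
    return pow(sig, pub[1], pub[0]) == _h(msg)

def derive_nonce(token):                    # reduce the pre-nonce token with a one-way hash
    return hashlib.sha256(token).hexdigest()

class BackEndServer:
    def __init__(self, name, trusted_clients, lifetime=60):
        self.name, self.trusted, self.lifetime = name, trusted_clients, lifetime
        self.issued = {}                    # random number -> expiry (seconds)

    def pre_nonce_contribution(self, now):
        rnd = secrets.token_hex(16)
        self.issued[rnd] = now + self.lifetime
        return f"{self.name}:{rnd}".encode()

    def authenticate(self, packet, now):
        """Checks an authenticated request packet relayed by the middle tier."""
        token, nonce = packet["token"], packet["nonce"]
        if derive_nonce(token) != nonce:
            return False, "nonce is not the hash of the pre-nonce token"
        mine = [c.split(b":", 1)[1].decode() for c in token.split(b"|")
                if c.startswith(self.name.encode() + b":")]
        expiry = self.issued.get(mine[0]) if mine else None
        if expiry is None:
            return False, "token carries no contribution issued by this server"
        if expiry < now:
            return False, "this server's contribution has expired"
        pub = self.trusted.get(packet["client"])
        if pub is None:
            return False, "client certificate not trusted"
        if not toy_verify(pub, nonce.encode(), packet["signed_nonce"]):
            return False, "client signature over the common nonce does not verify"
        return True, f"client {packet['client']} authenticated to {self.name}"

def delegate(back_ends, client_name, client_priv, request, now):
    """Middle tier: gather contributions, hash them, get the client's single
    signature, then present the authenticated request packet to every back end."""
    token = b"|".join(s.pre_nonce_contribution(now) for s in back_ends)
    nonce = derive_nonce(token)
    packet = {"request": request, "token": token, "nonce": nonce, "client": client_name,
              "signed_nonce": toy_sign(client_priv, nonce.encode())}  # TLS client-auth step
    return {s.name: s.authenticate(packet, now) for s in back_ends}, packet

def run_demo():
    pub, priv = toy_keygen()                # alice's key pair; pub stands in for her cert
    trust = {"alice": pub}
    c, d, e = (BackEndServer(n, trust) for n in "CDE")
    t0 = 1_000_000.0                        # constructed clock value, seconds
    fresh, packet = delegate([c, d, e], "alice", priv, "GET /account", t0)
    replayed = {s.name: s.authenticate(packet, t0 + 3600) for s in (c, d, e)}  # expired
    stranger = BackEndServer("F", trust).authenticate(packet, t0)  # F never contributed
    tampered = c.authenticate(dict(packet, nonce="00" * 32), t0)   # nonce != hash(token)
    return {"fresh": fresh, "replayed": replayed, "stranger": stranger, "tampered": tampered}
```

Server contributions are not signed in this example; the Summary's signed-contribution variant would add a per-server key pair and a signature over each `name:random` entry that the receiving back end re-verifies. The unpredictable random numbers and the per-server expiry are what stop a captured packet from being replayed against a back end later, and the hash check ties the client's one signature to exactly the set of contributions the back ends issued.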

Brief Description of the Drawings
Figure 1A is a block diagram illustrating a system incorporating embodiments of the present invention;

Figure 1B is a block diagram illustrating a system incorporating alternative embodiments of the present invention;

Figure 2 is a block diagram of a data processing system according to embodiments of the present invention;

Figure 3 is a more detailed block diagram of a data processing system according to embodiments of the present invention;

Figure 4 is a flowchart illustrating operations of a middle-tier server according to embodiments of the present invention;

Figure 5 is a flowchart illustrating operations for common nonce generation according to embodiments of the present invention;

RSW920000185US1
EXHIBIT E

From: John McGarvey
Sent: Friday, July 20, 2001 2:19 PM
To: Tim O'Sullivan
Cc: David Kuehr-McLaren
Subject: RE: Re disclosure Attorney docket 5577-236

Tim,

I finally got a chance to comb through your write-up. I think it is very good, and these changes are only little additions for clarity.

P1, end of line 15, add: This means of authenticating the client is used in a variety of computer protocols, including Secure Sockets Layer (SSL) and Transport Layer Security (TLS).

line 29: servers is obtained, and then the common nonce is sent to the client. The common nonce is digitally signed by the client, and is received ...

P4 line 21: The signed common nonce and the pre-nonce token may

line 23: ... plurality of servers, where it is determined if the token includes a pre-nonce contribution from the receiving server. For example, if such contributions are digitally signed before they are contributed, the receiving server may verify its signature. The client is not authenticated ...

Figure 1A, Figure 1B: Here in the figures, where we indicate "signed nonce" passing from the middle tier server to the back end server, we may instead want to use the phrase "authenticated request packet", with explanations that this includes the request itself, the pre-nonce token, the client certificate, and the signed nonce. It may also be useful to show that Server 20 could, optionally, forward a request packet with a request, pre-nonce token, client certificate, and signed nonce, to one of the other servers (22 or 24 in the diagram). This shows the idea of further downstream chaining of delegated authority.

Figure 8: block 810 has a typo: Sigature should be signature.

That's all the changes I have to recommend, sorry it took so long.
EXHIBIT F

Myers Bigel Sibley & Sajovec, PA
PATENT LAWYERS

July 23, 2001

Mr. John R. McGarvey
Division 71/Department PE9A
IBM Corporation
Post Office Box 12195
Research Triangle Park, NC 27709

RE: Methods, Systems and Computer Program Products for Secure Delegation Using Public Key Authentication
IBM Docket No. RSW920000185US1; Our File: 5577-236

Dear John:

... directed to the above-identified invention. Also enclosed are the Declaration and Power of Attorney and the Assignment for conveying ownership to International Business Machines ...

As previously noted, it ... accurate and complete ...

... Please note that the application must be completed ...

... and dated ...

Please return all original, executed documents to ... United States Patent Office.

TJO/tb
EXHIBIT G

Myers Bigel Sibley & Sajovec, PA
PATENT LAWYERS

August 3, 2001

Gerald R. Woods, Esq.
Department T81/Building 503-3
Intellectual Property Law Department
International Business Machines Corp.
Post Office Box 12195
Research Triangle Park, NC 27709

RE: McGarvey, et al. Methods, Systems And Computer Program Products For Secure Delegation Using Public Key Authentication
IBM Docket No. RSW920000185US1; Our File: 5577-236

Dear Jerry:

The above-referenced application (copy enclosed) was filed in the United States Patent and Trademark Office by the express mail procedure on August 3, 2001, and should receive this date as the official filing date. We have also enclosed a diskette containing the application in WordPerfect 6.0 format and the drawings in VISIO 4.0 format.

If you have any questions or comments please feel free to contact us at your convenience. Thank you again for the opportunity to assist you in this matter.

Best regards.

Sincerely,

Timothy J. O'Sullivan

TJO/tb
Enclosures